#173 Use PK11_FindCertFromNickname to find certificates instead of looping over the list of slots
Merged by rcritten. Opened by rcritten.
rcritten/certmonger issue_8533  into  master

IPA encountered a DBus timeout when starting tracking of the CA subsystem certificates. It turned out that PK11_ListCertsInSlot() was sometimes taking 13-14 seconds to return. The hardcoded DBus timeout is just 25 seconds so generally things would fail if this occurred.

There is no reason to loop over all the certificates manually since PK11_FindCertFromNickname() will do that for us, including caching values. Some care is required to structure the nickname to distinguish between internal certificates and those on a different token, but it's straightforward.

This also fixes an NSS shutdown error discovered when reading keys due to not freeing an object.

Tested in PR https://github.com/freeipa/freeipa/pull/5180

logs http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/3c4b24d4-12fd-11eb-842a-fa163ec3b944/

Pull-Request has been merged by rcritten
